
Cisco IOS XE

Product
Developers: Cisco Systems
Date of the premiere of the system: October 2023
Branches: Electrical and Microelectronics
Technology: OS


2023

Cisco fixed dangerous vulnerabilities, but hackers managed to seize about 400 devices in Russia

According to various security researchers, a vulnerability in the web interface of Cisco devices (BDU:2023-06875) has been actively exploited since September 28. Moreover, while investigating incidents related to its exploitation, another, previously unknown flaw was discovered that allows privileges on the device to be elevated to administrator level; it has now been assigned the identifier CVE-2023-20273. By exploiting this chain of vulnerabilities, attackers have planted implants in the operating systems of Cisco routers and switches around the world that allow the devices to be controlled remotely using Lua programs.

On October 23, Cisco released fixes for Cisco IOS XE that close both vulnerabilities, the first (BDU:2023-06875) and the second (CVE-2023-20273), and prevent their exploitation in the future. For Russian companies, installing these fixes is recommended, but only after a thorough security check. Even after the fixes are installed, it is still worth fully examining the device configuration for security issues and for the absence of extraneous accounts with administrator rights. Only then should the web management interface of the devices be turned back on.

However, on October 23 information appeared about yet another vulnerability in the same product (assigned the number CVE-2023-20109), in the Group Encrypted Transport VPN (GET VPN) module. The new vulnerability also allows privileges to be elevated in the system, that is, it can be used in place of the second vulnerability, CVE-2023-20273. It is rated as medium severity, and a patch has already been developed for it. It appears, however, that attackers have begun to scrutinize Cisco IOS and IOS XE closely, since these systems give them a good chance of success, so further vulnerabilities in this software are likely to appear in the near future.

Exploit Infection Map in Cisco IOS XE, Censys

Successful exploitation of the BDU:2023-06875 vulnerability is also evidenced by the previously published counts of vulnerable systems that were discovered. Vulnerable devices exist in Russia as well.

"There are more than a thousand vulnerable nodes in Runet," Sergei Gordeichik, CEO of SayberOK, told TAdviser. "As of October 17, just under 500 devices with an installed implant were observed. After the attackers changed the authorization scheme, on October 24 a little less than 400 devices with an installed implant were observed."

FSB Cyber Incident Tracking Center issued recommendations on how to protect against hacking through a hole in Cisco equipment

On October 18, the National Coordination Centre for Computer Incidents (NCCCI) sent out a warning about the discovery of a dangerous vulnerability in the web interface of the Cisco IOS XE operating system (BDU:2023-06875, CVE-2023-20198), which is associated with errors in privilege management. According to the Centre, exploitation of the vulnerability can allow a remote attacker to elevate privileges by creating a new administrator account. The vulnerability was rated 10 out of 10 on the CVSS scale, meaning it is easy to exploit remotely, requires no user interaction, and allows code execution on the vulnerable device.

The danger of the vulnerability is that Cisco routers and switches are mainly corporate devices that can nevertheless be reached with web requests from outside. The situation is aggravated by the fact that there is no full-fledged fix for the vulnerability, although NCCC has issued recommendations to reduce the possibility of exploiting it, namely disabling the vulnerable web interface. The Centre strongly recommends that owners of Cisco hardware do the following in the very near future:

  • check devices for the vulnerability (the command is run from a workstation that has access to the system being tested; systemip is the IP address of that system): curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1";
  • disable the HTTP and HTTPS server functions by executing the commands "no ip http server" and "no ip http secure-server" in the operating system of switches and routers (in global configuration mode);
  • use intrusion detection and prevention systems to track indicators of compromise and newly created users with administrator rights;
  • use virtual private network (VPN) technology to organize remote access;
  • configure a web application firewall to restrict remote access to the vulnerable web interface;
  • restrict access to Cisco devices from external networks.
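The configuration review mentioned earlier (checking that the web server is off and that no extraneous privilege-15 accounts exist) and the recommendations above can be turned into a small offline audit. The script below is an added example, not code from TAdviser, Cisco or NCCCI. It parses a constructed running-config excerpt, reports the state of the HTTP/HTTPS server, lists privilege-15 usernames not on an expected list, and classifies the body returned by the logoutconfirm.html probe. The interpretation of that probe (a reply consisting solely of a hexadecimal string indicates the implant) follows Cisco's published guidance for this campaign and is not stated in the article; the account names and secrets are placeholders.

```python
"""Offline audit helpers for the Cisco IOS XE web UI advisory (CVE-2023-20198 / BDU:2023-06875).

Added example, not code from the article, Cisco or NCCCI. It reads a saved
running-config and the body of the recommended logoutconfirm.html probe; it
does not touch the network itself.
"""
import re
from typing import Dict, List

# Constructed sample running-config (placeholder names and secrets, not from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_webui_tmp privilege 15 secret 9 $9$PLACEHOLDER
username readonly privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
no ip http secure-server
!
"""

# Administrator accounts the organisation knows about; any other level-15 user is flagged.
EXPECTED_ADMINS = {"netops"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def http_server_state(config: str) -> Dict[str, str]:
    """Return 'enabled', 'disabled' or 'absent' for each IOS HTTP server feature.

    A bare 'ip http server' line enables the feature, 'no ip http server' disables it.
    'absent' means the line is not in the saved config at all; confirm such cases on the
    device with 'show running-config | include ip http', since defaults vary by platform.
    """
    state = {"ip http server": "absent", "ip http secure-server": "absent"}
    for raw in config.splitlines():
        line = raw.strip()
        for feature in state:
            if line == feature:
                state[feature] = "enabled"
            elif line == "no " + feature:
                state[feature] = "disabled"
    return state


def unexpected_admins(config: str, expected=EXPECTED_ADMINS) -> List[str]:
    """List privilege-15 usernames that are not on the expected-administrator list."""
    return sorted(
        name for name, level in USERNAME_RE.findall(config)
        if int(level) == 15 and name not in expected
    )


def classify_probe_reply(body: str) -> str:
    """Classify the body returned by: curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1".

    Assumption (Cisco's published guidance, not the article): a reply that is nothing but a
    hexadecimal string indicates the implant is present. Any other reply is not evidence of it.
    """
    body = body.strip()
    if body and HEX_RE.fullmatch(body):
        return "implant-indicator"
    return "no-indicator"


def audit(config: str, expected=EXPECTED_ADMINS) -> List[str]:
    """Combine the checks into human-readable findings (empty list means nothing to report)."""
    findings = []
    for feature, state in http_server_state(config).items():
        if state == "enabled":
            findings.append(f"{feature} is enabled; advisory recommends 'no {feature}'")
    for name in unexpected_admins(config, expected):
        findings.append(f"unexpected privilege-15 account: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("probe reply sample:", classify_probe_reply("0123456789abcdef01"))
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG`; the probe classifier is kept separate from any HTTP client so the same logic can be applied to responses collected by whatever tooling the team already uses.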

Under current conditions such a vulnerability has attracted heightened attention from hackers, which has led to its active exploitation around the world. At the same time, the number of vulnerable devices worldwide turned out to be quite large. By the morning of Friday, October 20, the Censys search engine, configured to look for vulnerable devices roughly along the lines of the NCCC recommendations, had found 42 thousand vulnerable devices reachable from the Internet. By the evening of October 20 the number had risen to 62 thousand, but by October 23 it had fallen to 52.6 thousand. Apparently administrators had begun actively switching off the vulnerable web interface so that attackers could not use it. The leaders in the number of exposed vulnerable devices were the United States (7.5 thousand devices), Chile (3.8 thousand) and Mexico (3.5 thousand). Russia is not among the top twenty by number of devices reachable from the Internet, which means the number of vulnerable devices in the country does not exceed 600.

Recognition of the existence of a critical hole, asking users to turn off the equipment

On October 16, 2023, Cisco announced the discovery of a critical hole in its IOS XE operating system, which is used on various network devices. The flaw is actively exploited by cybercriminals, and a fix for it does not exist as of the specified date.

The vulnerability (CVE-2023-20198) received the maximum severity rating of 10 points (CVSS). The hole allows an unauthenticated remote attacker to create an account with privilege level 15 on the device, which in effect gives them complete control over the compromised system. The attacker can then use this account to perform various destructive and malicious operations.

Cisco reported a critical hole in its IOS XE

The investigation showed that the first attacks through the discovered vulnerability date back to September 18, 2023. The intrusion scheme involves a special malicious implant written in the Lua programming language, but as of October 17, 2023 the mechanism by which it is introduced into the system had not been fully determined. The issue affects all Cisco IOS XE-based devices that have the web interface enabled.

Given that there are no fixes or workarounds for the hole, Cisco recommends that IOS XE hardware users disable the HTTP server feature on all Internet-connected devices. It is estimated that up to 80,000 different Cisco network devices worldwide are under attack.

"Cisco did not provide a list of affected devices, which means that any switch, router or WLC (Wireless LAN Controller) running IOS XE and having a web interface is vulnerable," said Mayuresh Dani, security threat research specialist at Qualys.[1]

Notes